Restricted-Use Data Procedures Manual


Restricted-Use Data Procedures Manual

U.S. Department of Education
Institute of Education Sciences
National Center for Education Statistics
IES Data Security Office
1990 K Street, NW
Washington, DC

Acrobat PDF Version August 2011

Publication Information

U.S. Department of Education
Arne Duncan, Secretary

Institute of Education Sciences
John Q. Easton, Director

National Center for Education Statistics
Jack Buckley, Commissioner

The National Center for Education Statistics (NCES) is the primary federal entity for collecting, analyzing, and reporting data related to education in the United States and other nations. It fulfills a congressional mandate to collect, collate, analyze, and report full and complete statistics on the condition of education in the United States; conduct and publish reports and specialized analyses of the meaning and significance of such statistics; assist state and local education agencies in improving their statistical systems; and review and report on education activities in foreign countries.

NCES activities are designed to address high priority education data needs; provide consistent, reliable, complete, and accurate indicators of education status and trends; and report timely, useful, and high quality data to the U.S. Department of Education, the Congress, the states, other education policymakers, practitioners, data users, and the general public.

We strive to make our products available in a variety of formats and in language that is appropriate to a variety of audiences. You, as our customer, are the best judge of our success in communicating information effectively. If you have any comments or suggestions about this or any other NCES product or report, we would like to hear from you. Please direct your comments to:

National Center for Education Statistics
Institute of Education Sciences
U.S. Department of Education
1990 K Street, NW
Washington, DC

The NCES Home Page is:

Printed April 1996 (NCES publication number: 96860rev)
Reprinted October 1999
Acrobat PDF Version August 2011

Content Contact: IESData.Security@ed.gov

Restricted-Use Data Procedures Manual

This manual will be provided to organizations interested in obtaining restricted-use data, and to licensed organizations who currently have access to restricted-use data. The goal is to maximize the use of statistical information, while protecting individually identifiable information from disclosure.

The Restricted-Use Data Procedures Manual was created to provide a guide to the restricted-use data application process, as well as to explain the laws and regulations governing these data. We hope that this manual answers any questions or concerns you may have regarding obtaining access to restricted-use data.

IMPORTANT

This manual serves as a procedures guide, but it does not replace the provisions of the actual License document and the required security procedures. The licensee is responsible for all terms and provisions within the License and the required security procedures.

Under no circumstances may the database be removed or telecommunicated from the licensee's site.

Licensees are subject to unannounced, unscheduled inspections to assess compliance with security requirements.

Violations of the Education Sciences Reform Act confidentiality provisions incorporated in the License document are a class E felony, punishable by imprisonment of up to five years and/or a fine of up to $250,000.

Table of Contents

Introduction
    Restricted-Use Data
    Public-Use Data
    Overview of Laws
    Licensing Procedures
    Security Procedures
    On-Site Inspections

Laws
    1.1 Basic Statutes
    Privacy Act of 1974
    Privacy Standards
    Computer Security Guideline
    1.3 E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA)
    1.4 Education Sciences Reform Act of 2002
    Confidentiality Standards
    Violations
    USA Patriot Act of 2001
    1.6 E-Government Act of 2002

Licensing Procedures
    2.1 What Data Are Licensed
    Only Restricted-Use Data Are Licensed
    Available Restricted-Use Databases
    What is a License?
    Memorandum of Understanding
    License
    Contracts
    Content of License Documents
    2.3 Who Needs a License Document
    Matching Organizations to License Documents
    Restricted-Use Data and IES Staff
    Pre-test Monitoring
    Contractors
    2.4 Applying for a License
    Summary of Procedures
    Formal Request
    License Document
    Affidavits of Nondisclosure
    Security Plan Form
    Receiving the Requested Materials
    2.5 Required Licensee Activity
    Maintaining the License File
    Submitting Research Publications
    Passing On-Site Inspections
    Outside Requests for Data
    2.6 Amending a License
    Add User Amendment
    Delete User Amendment
    Add Database Amendment
    Modify Security Plan Amendment
    Extend License Amendment
    Close-Out License Amendment
    Applicant/Licensee Record

Security Procedures
    Introduction
    Basic Statutes
    IES Statutes
    Other Statutes
    Risk Management
    General Security Requirements
    Assign Security Responsibilities
    Complete Security Plan Form
    Restrict Access to Data
    Use Data at Licensed Site Only
    Respond to Outside Request for Subject Data
    Return Original Data to IES
    Physical Handling, Storage, and Transportation
    Protect Machine-Readable Media and Printed Material
    Avoid Disclosure from Printed Material
    Edit for Disclosures
    Only One Backup Copy
    Limit Transporting of Data
    Computer Security Requirements
    Standalone Computer
    Limit Room/Area Access
    Standalone Desktop Computer Security Model
    Passwords
    Notification (Warning Screen)
    Read-only Access
    No Connections to Another Computer
    Lock Computer and/or Room
    Automatic Shutdown of Inactive Computer
    Do Not Backup Restricted-Use Data
    Staff Changes
    Overwrite Hard Disk Data
    3.6 License User Training

On-site Inspections
    On-Site Inspection Procedures
    License Procedures
    Security Procedures and Security Plan Form
    On-Site Inspection Guideline
    Violations, Penalties, and Prosecution
    Violations
    List of Most Common Violations
    Prosecution and Penalties

Appendices
    Appendix A Definition of Terms
    Appendix B Public-Use Data
    Appendix C Privacy Act of 1974
    Appendix D IES-Specific Laws
    Appendix E Memorandum of Understanding
    Appendix F License Document
    Appendix G Affidavit of Nondisclosure
    Appendix H Restricted-Use Databases
    Appendix I Availability of Restricted-Use Data
    Appendix J Security Plan Form
    Appendix K On-Site Inspection Guideline
    Appendix L E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection
    Appendix M Close-out Certification Form

Introduction

Restricted-Use Data

The Institute of Education Sciences (IES) collects survey and research data containing individually identifiable information, which is confidential and protected by federal law. IES uses the term "restricted-use data" for such information. The terms restricted-use data and "subject data" are synonymous. (See Appendix A, Definition of Terms.)

Public-Use Data

IES uses the term "public-use data" for survey data when the individually identifiable information has been coded or deleted to protect the confidentiality of survey respondents. Access to public-use data does not require a license, for these data are available to the general public. For more information on public-use data, see NCES online catalog at

Overview of Laws

The relevant laws about survey data that contain individually identifiable information are found in the following statutes. More information on these laws is in Chapter 1:

- The Privacy Act of 1974 and the Computer Security Act of 1987 provide for the security and privacy of personal data maintained by the federal government. These laws pertain to all restricted-use data. Unlawful disclosure is a misdemeanor and is subject to a fine up to $5,000.
- The E-Government Act of 2002, Title V, subtitle A, Confidential Information Protection mandates the protection of individually identifiable information that is collected by any federal agency for statistical purposes. Unauthorized disclosure of these data is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000.
- The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data that are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism to the Attorney General.
- The Education Sciences Reform Act of 2002 requires IES to collect, analyze, and disseminate education data and to protect the confidentiality of individually identifiable information. An unauthorized disclosure is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000.

Licensing Procedures

IES will lend restricted-use data only to qualified organizations in the United States, using a strict licensing process described in Chapter 2. Individual researchers must apply through an organization (e.g., a university or a research institution). To qualify, an organization must submit:

- an online Formal Request through the NCES electronic application system, see:
- a signed License document (see Appendix F),
- executed Affidavits of Nondisclosure (see Appendix G), and
- a signed Security Plan Form (see Appendix J).

Security Procedures

Restricted-use data must be kept secure at all times. Secure means that the data are protected from unauthorized access or disclosure in accordance with the terms of the License and the specified security procedures outlined in the Security Plan Form. The security procedures described in Chapter 3 include the computer security requirements for the standalone, desktop computer configuration.

On-Site Inspections

Under the terms of the License, IES has the right to conduct unannounced, unscheduled inspections of the data user's site to assess compliance with the terms of the License and the required security procedures. The inspection procedures are described in Chapter 4.

Chapter 1: Laws

1.1 Basic Statutes

The protection of survey databases that contain individually identifiable information is founded on the following statutes:

- Privacy Act of 1974,
- E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA),
- Education Sciences Reform Act of 2002,
- USA Patriot Act of 2001, and
- E-Government Act of 2002.

Privacy Act of 1974

The Privacy Act of 1974 states that federal agencies are required "to collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that adequate safeguards are provided to prevent misuse of such information." To do this, the law protects the privacy of personal data maintained by the federal government. It imposes numerous requirements upon federal agencies to safeguard the confidentiality and integrity of personal data, and puts limits on the use of the data. (For the full text of the law, see Appendix C.)

Privacy Standards

Under the direction of the Office of Management and Budget, federal agencies issue policies, standards, and guidelines for protecting personal data under this law.

Computer Security Guideline

A key standard for this law is the Federal Information Processing Standard Publication (FIPSPUB) 41, Computer Security Guidelines for Implementing the Privacy Act of 1974. FIPSPUB 41 provides guidance to ensure that government-provided individually identifiable information is protected in accordance with federal statutes and regulations.

1.3 E-Government Act of 2002, Title III, Federal Information Security Management Act (FISMA)

The law is enacted to "provide a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets."

FISMA requires each agency to develop, document, and implement an agencywide information security program providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of (i) information collected or maintained by or on behalf of the agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.

1.4 Education Sciences Reform Act of 2002

The Education Sciences Reform Act of 2002 (ESRA 2002) authorizes the Institute of Education Sciences (IES) to collect and disseminate information about education in the United States. Collection is most often done through surveys. This Act, which incorporates and expands upon the Privacy Act of 1974, requires strict procedures to protect the privacy of individual respondents. This Act replaces the National Education Statistics Act of 1994 (NESA 1994). (For the full text of the law, see Appendix D.)

Confidentiality Standards

Individually identifiable information about students, their families, and their schools cannot be revealed. No person may:

- use any individually identifiable information for any purpose other than a statistical purpose, except in the case of terrorism (see USA Patriot Act below);
- make any publication whereby the data furnished by any particular person can be identified; or
- permit anyone other than the individuals authorized by the IES Director to examine the individual reports.

The Act requires IES to develop and enforce standards to protect the confidentiality of students, their families, and their schools in the collection, reporting, and publication of data. The IES confidentiality statute is found in Public Law , section 183 (or as codified in 20 U.S.C. 9573).

Violations

Anyone who violates the confidentiality provisions of this Act when using the data shall be found guilty of a class E felony and can be imprisoned up to five years, and/or fined up to $250,000.

USA Patriot Act of 2001

The USA Patriot Act of 2001 amended NESA 1994 by permitting the Attorney General to petition a judge for an ex parte order requiring the Secretary of the Department of Education to provide NCES data that are identified as relevant to an authorized investigation or prosecution of an offense concerning national or international terrorism to the Attorney General.

Any data obtained by the Attorney General for these purposes must be treated as confidential information, consistent with such guidelines as the Attorney General, after consultation with the Secretary, shall issue to protect confidentiality. This amendment was incorporated into ESRA 2002. (For the full text of the law, see Appendix D.)

1.6 E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection

Following the enactment of the Patriot Act, the 107th Congress enacted the E-Government Act of 2002, Title V, Subtitle A, Confidential Information Protection (CIP 2002), which requires that all individually identifiable information supplied by individuals or institutions to a federal agency for statistical purposes under a pledge of confidentiality must be kept confidential and may only be used for statistical purposes. [1] Any willful disclosure of such information for nonstatistical purposes, without the informed consent of the respondent, is a class E felony, punishable by up to five years in prison, and/or a fine up to $250,000.

[1] As amended by Federal Register, 62:

Chapter 2: Licensing Procedures

2.1 What Data Are Licensed

Only Restricted-Use Data Are Licensed

When IES conducts surveys, the data collected sometimes include individually identifiable information, which is confidential and protected by law. [2] Restricted-use data is the term for survey data that contain individually identifiable information. Only restricted-use data are licensed. (Note: Public-use data are not licensed.)

The restricted-use data provided to the licensee and all information derived from those data, and all data resulting from merges, matches, or other uses of the data provided by IES with other data are subject to the License and are referred to in the License as subject data.

Individually identifiable information includes, but is not limited to, personal data in the following categories: education, financial, medical, employment, criminal, or personal identifiers (e.g., name, number, symbol), and other identifying particulars assigned to the individual (e.g., fingerprint, voiceprint, photograph).

Available Restricted-Use Databases

The restricted-use databases that are available to organizations in the United States through these licensing procedures are listed at the NCES online catalog at:

What is a License?

Three similar License documents are used to lend restricted-use data: Memorandum of Understanding, License, and Contract. All three are referred to as Licenses and, when signed, are equally binding on the licensees.

Memorandum of Understanding

The Memorandum of Understanding is used to provide data to federal agencies or offices, external to IES. A copy of the memorandum is in Appendix E.

License

The License is used to provide data to non-federal agencies or offices, including organizations working on analysis contracts with IES. Appendix F contains a copy of the License.

[2] Because federal laws cannot be enforced outside of the United States, restricted-use data cannot leave the United States.

Contracts

When IES has a contract involving the collection of restricted-use data, the contract boiler plate includes the provisions of the License.

Content of License Documents

In brief, each of the three License types:

- defines the information subject to this agreement,
- specifies the individuals who may have access to subject data (PPO and professional/technical and support staff),
- describes limitations of disclosure,
- lists administrative requirements,
- requires that publications based on the data be sent to IES prior to disseminating them to non-licensed individuals,
- requires the organization to contact IES in case of (suspected) breaches of security,
- requires the organization to agree to unannounced and unscheduled inspections,
- reviews the security requirements for the maintenance of, and access to, subject data, and
- describes penalties for violations.

2.3 Who Needs a License Document

Virtually every organization needs a License document to authorize individual access to restricted-use data. The type of organization determines the specific License document.

Matching Organizations to License Documents

Type of Organization: License Document Type

Congress: Memorandum of Understanding
Federal Agencies *: Memorandum of Understanding
IES Staff: Oath of office replaces Memorandum; staff must sign a form provided by the IES Data Security Office to obtain the data.
Non-Federal Agencies/Groups/Organizations: License
State and Local Agencies: License
Research Laboratories: License
Data Collection Contractor (to IES): License "Boiler Plate" in Contract
Contractor (to IES Contractor): License "Boiler Plate" in Contract
Survey Pre-Tests: License "Boiler Plate" in Contract
Analysis Contractor: License

* This includes other components of the Department of Education.

Restricted-Use Data and IES Staff

IES staff are subject to all of the obligations and restrictions protecting restricted-use data. Further, IES staff are not authorized to issue restricted-use data files. Any in-house staff needing access to restricted-use data must request and obtain clearance through the IES Data Security Office. Staff must sign a form provided by the IES Data Security Office to obtain the data.

Staff who have restricted-use data must keep it under lock and key. These data may not be stored on a laptop computer and computer output cannot be left out in the open when not in use. (See Chapter 3, Security Procedures, for full details.) The data may not be removed from the office area. These restricted-use data must be returned to the IES Data Security Office prior to the departure of an employee or Fellow.

IES staff should refer all requests for License documents, affidavits, or restricted-use data to the IES Data Security Office. These requests should not be handled by program staff.

Pre-test Monitoring

Staff perform pre-tests to review the data collection process and to test the validity of the survey instrument. Because respondent data are acquired to test the proposed survey design, the responses collected in this pre-test sampling may contain individually identifiable information and thus may be subject to restricted-use data security procedures.

The IES Contracting Office Technical Representative (COTR) who is responsible for conducting these pre-tests must submit a written description of what is involved in the survey design review to the IES Data Security Office. The COTR must also obtain an executed Affidavit of Nondisclosure from all persons outside IES who will review the survey design and will have access to these data. The COTR will keep all original Affidavits of Nondisclosure in the project file and be able to produce them on request.

Contractors

An organization or individual performing work under contract must complete the licensing process unless the collection of restricted-use data is required to fulfill the terms of the contract. The conditions spelled out in the License are incorporated in the boiler plate of the contract.

Sub-Contractors (to Contractors) are bound by the terms in the contractual agreement of the contractor. Those terms include the provision that data cannot leave the licensed site. Subcontractors needing to use data at a remote site must get their own Licenses.

A contractor who proposes to do independent research using the restricted-use data to perform work for IES must submit a formal, written request. If the purpose of the independent research is different from the purpose for using the data as stated in the contract, the contractor must follow the standard application process for obtaining a License (see section 2.4).

2.4 Applying for a License

Summary of Procedures

To qualify for and receive restricted-use data, applicants must submit all four documents:

- Formal Request through the IES online electronic license application system (see: ),
- License Document (see Appendix E or F),
- Affidavits of Nondisclosure (see Appendix G), and
- Security Plan Form (see Chapter 3 and Appendix J).

The Formal Request will ask for specific items of information. This information will be collected through the IES electronic license application system at:

After the initial online Formal Request has been reviewed and approved by the IES Data Security Office, applicants are to prepare, complete and return the signed License, notarized Affidavits, and the Security Plan Form. Mail all documents, signed by the Principal Project Officer (PPO) and Senior Official (SO), to the IES Data Security Office.

The IES Data Security Office staff will review the submitted documents for content and completeness. In the online Formal Request, you must demonstrate that the proposed research project meets basic requirements of applicability to education research. The Security Plan Form must be complete and must comply with the Security Procedures outlined in Chapter 3.

IES may request additional information regarding the proposed use of the data, the resources available to the researcher to perform the analysis, or other aspects of the project that is deemed necessary. All questions IES has about an organization's application must be resolved in writing prior to the formal approval of the License.

The License documents are only submitted to the IES front office for final approval when all required information has been received and the License application is complete. The decision to grant a License is solely that of the Director. The License approval becomes effective on the date of the Director's signature.

Formal Request

The Formal Request will ask for specific items of information (see checklist below). Your information will be collected through the IES electronic license application system at:

Formal Request Checklist

(1) The name, title, and contact information of the Principal Project Officer
(2) The name, title, and contact information of the Senior Official
(3) The name, title, and contact information of the System Security Officer
(4) The title of the database(s) requested for access
(5) A description of the statistical research project and how the restricted-use database will be used and justification for access
(6) The names and titles of other persons who will use and access the data
(7) The estimated loan period (not to exceed five years)

The Formal Request requirements are described in more detail below:

(1) The name, title, and contact information of the Principal Project Officer who will oversee the daily operations. To qualify for and receive a restricted-use data License and the restricted-use data, academic applicants must have the rank of post-doctoral fellow or above to serve as the Principal Project Officer (PPO). Visiting professors or scholars cannot be a PPO. Applicants in research laboratories or analytic consulting firms must have the rank of research associate or above to serve in this role. (The PPO is the researcher in charge of the day-to-day operations involving the use of subject data and is responsible for liaising with the IES Data Security Office.)

(2) The name, title, and contact information of the Senior Official having the signatory authority to legally bind the organization to the provisions of the License contract.

(3) The name, title, and contact information of the Systems Security Officer who will oversee the security of the data. The PPO can also serve as the SSO.

(4) The title of the database(s) the organization wants to access.

(5) A description of the statistical research project. The description must fulfill the following conditions:

- explain why the public-use version of the data is insufficient for your research needs,
- describe the final research objective and use of the data,
- describe the sector(s) of the community that will be served by the product, and
- assure IES that the data will not be used for any administrative or regulatory purpose in addition to, or instead of, the statistical purpose described.

Note: The purpose of the research for which the data are requested must accord with the purpose for which the survey data were collected. Descriptions of those purposes are in Appendix H.

If an applicant requests access to subject data that are currently under an IES Contract/Task Order with the applicant, the applicant must provide:

- the contract number, and
- the name of the Contracting Office Technical Representative (COTR).

(6) The names and titles of other persons who will be accessing the database. Generally, the staff is limited to a maximum of seven (7) persons. Exceptions to this limit may be authorized by the IES Data Security Office. Written documentation authorizing the exception must be obtained from IES. Please note that requests for additional data or amendments to an existing License will only be accepted from the PPO.

(7) The estimated loan period necessary for accessing the database. Loan periods are in one-year increments and may not exceed a five-year period. The loan period starts on the date that IES signs the License document.

License Document

The License document is a legally binding agreement or contract.

License Document Checklist

- Review the appropriate License document
- Insert the name of the Agency or organization to be licensed in the appropriate blank(s)
- The Senior Official (or appropriate government official) signs the License
- The Principal Project Officer signs the License
- Indicate loan period (not to exceed five years)
- Send the original signed License to the IES Data Security Office

Affidavit of Nondisclosure

An Affidavit of Nondisclosure must be executed for each person who will have access to the data.

Affidavit of Nondisclosure Checklist

- Obtain a notarized Affidavit of Nondisclosure from each person who may come in contact with the subject data, as well as any non-security/police personnel who have key access to the secure project office. (For more information on this requirement, see Chapter 3.)
- Fill in all requested information on the Affidavit
- Send the original signed and notarized Affidavits of Nondisclosure to the IES Data Security Office

Appendix G contains a copy of the Affidavit of Nondisclosure form.

In general, an individual who is not an IES employee and who wants access to licensed individually identifiable information must execute an Affidavit of Nondisclosure and submit it, through a licensed organization, to the IES Data Security Office. IES allows up to seven (7) individuals per License to have access to the subject data.

The one-page Affidavit contains:

- the name of the survey(s) to be accessed (see below),
- an oath or affirmation not to disclose individually identifiable information to any person not similarly sworn,
- the penalties for disclosure, and
- the signature and imprint of a notary public.

Affidavits are data-specific: they are only valid for the data listed on the form. Include all data names and all subsequent followups that will be needed; for example, the base year data and all subsequent followups. Notarized documents cannot be amended by IES. To access a followup of a listed database or to access data that was not listed on the notarized affidavit, another affidavit must be executed.

Organizations must promptly notify IES of any changes in project staff. (See Section 2.6, Amending a License.)

Security Plan Form

The Security Plan Form contains the detailed procedures for protecting the subject data.

Security Plan Form Checklist

- Review Chapter 3, Security Procedures
- Fill out the Security Plan Form found in Appendix J
- Send the original, signed Security Plan Form to the IES Data Security Office

Restricted-use data must be kept secure at all times, meaning that the individually identifiable information is secure from unauthorized disclosure or modification. Security procedures are explained in detail in Chapter 3; the Security Plan Form can be found in Appendix J.

Note: In lieu of the Security Plan Form, federal agencies must submit documentation verifying that the agency has an approved Certification and Accreditation (C&A) for its IT systems. Federal agencies must adhere to the security requirements set forth in the MOU.

Receiving the Requested Materials

Once the License is approved by IES, the IES Data Security Office sends the licensee the data and other items.

Final Product Package Contents

The new licensee receives the License package that includes:

- a copy of the original License and Security Plan Form
- copies of the Affidavits of Nondisclosure
- restricted-use database media materials and instructional materials to assist the project staff in the use of the data.

The data CD-ROM includes a:

(1) Warning/Restriction Label
(2) Loan Expiration Date

The package is sent Restricted Delivery - Certified Mail to the licensee. All restricted-use data on CD-ROM are encrypted and require a passphrase to open. The PPO must the IES Data Security Office with a list of encrypted files in order to obtain the needed passphrases.

Note: Only one copy of a database in any format can be borrowed at a time. A licensee who has a copy of the database and wants a revised version must return the original via certified mail before the revised version will be sent. (See Section 2.6, Amending a License.) Under no circumstances may the original or a duplicate of the database be removed or electronically communicated from the licensee's secure project office.

2.5 Required Licensee Activity

The licensee is responsible for all terms and conditions in the License document, the Security Plan Form and related materials. (See the appropriate License document in Appendix E or F for full requirements.) This section addresses three major administrative requirements:

- Maintaining the License file, including copies of all executed Affidavits,
- Submitting research publications for disclosure review prior to publication or access by non-licensed individuals, and
- The licensee's responsibility to be ready for inspection at all times.

Maintaining the License File

The Principal Project Officer (PPO) is accountable for having all pertinent information listed below in a License file.

License File Checklist

The PPO shall maintain a License file in the secure project office where the licensee stores the restricted-use data. This file must contain the following items:

- copies of s received from the IES Data Security Office
- the License and its attachments, which are: (1) a description of research, (2) the Privacy Act of 1974 (5 U.S.C. 552a) and IES-specific laws, (3) the Security Plan Form
- any amendments to the License document and related s
- a current list of all individuals who may have access to the data, along with copies of their notarized Affidavits of Nondisclosure

Note: All project staff shall both READ and UNDERSTAND this material. All individuals who have access to the subject data must be fully aware of the required security requirements and procedures. (The Principal Project Officer is directly responsible for ensuring that all project staff understand and implement all of the required security procedures.)

Submitting Research Publications

If the licensee intends to publish or distribute any information product that uses the subject data where unauthorized persons will have access, then the licensee must submit an advance copy of the product to the IES Data Security Office via prior to its publication or access by nonlicensed individuals. Once the document has been cleared by the IES Data Security Office, the licensee may distribute the document as desired.

Research Publication Checklist

The PPO shall forward a copy of each publication containing information based on restricted-use data to the IES Data Security Office for a disclosure review.

For all datasets produced by IES or NCES, licensees are required to round all unweighted sample size numbers to the nearest ten (nearest 50 for ECLS-B) in all information products (i.e., proposals, presentations, papers or other documents that are based on or use restricted-use data).

For all other datasets, including administrative datasets produced by other agencies within the Department of Education (e.g., EDFacts, CRDC, etc.), disclosure avoidance standards will vary. The required disclosure avoidance measures for these non-IES datasets will be listed in a readme.txt file included with that specific dataset.

Licensees are required to provide a draft copy of each information product that is based on or uses restricted-use data to the IES Data Security Office for a disclosure review. The licensee must not release the information product to any person not authorized to access the data until formally notified by IES that no potential disclosures were found. This review process usually takes 3 to 5 business days.

Passing On-Site Inspections

The License (Section IV.G) gives IES the right to conduct unannounced, unscheduled inspections of the licensee's secure project office to assess compliance with the provisions of the License, security procedures (see Chapter 3), and the licensee's submitted Security Plan Form. (The inspection procedures are described in Chapter 4, and a copy of the On-Site Inspection Guideline can be found in Appendix K.) Any violation found during the inspection may subject the licensee to immediate revocation of the License by IES, or report of the violation to the U.S. Attorney.

On-site Inspection Checklist

When an on-site inspection is conducted, IES will provide formal notification of any violations of the required security procedures. If violations are reported, the licensee must take the following steps:

- Correct all identified security violations.
- Notify IES in writing of the corrective measures.


BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate; BUSINESS ASSOCIATE AGREEMENT (Agreement #) THIS DOCUMENT CONSTITUTES AN AGREEMENT BETWEEN: AND (Contractor name and address), hereinafter referred to as Business Associate; The Department of Behavioral

More information

Disclosing Client Information

Disclosing Client Information CPE/CE 2 Credit Hours Disclosing Client Information Disclosures, Use, Consent Requirements Interactive Self-Study CPE/CE Course Course Overview Program Content: Publication Date: September 2015. Expiration

More information

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as

HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the

More information

Identification and Authentication on FCC Computer Systems

Identification and Authentication on FCC Computer Systems FCC Computer Security TABLE OF CONTENTS Desk Reference 1 INTRODUCTION...1 Identification and Authentication on FCC Computer Systems 1.1 PURPOSE...1 1.2 BACKGROUND...1 1.3 SCOPE...2 1.4 AUTHORITY...2 2

More information

STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY)

STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY) STATE OF CONNECTICUT REGULATION of the DEPARTMENT OF CONSUMER PROTECTION (NAME OF AGENCY) Concerning APPRAISAL MANAGEMENT COMPANIES (SUBJECT MATTER OF REGULATION) (NEW) Section 1. The Regulations of Connecticut

More information

ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT

ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT ONLINE EXPRESS INTERNET BANKING CUSTOMER AGREEMENT This Agreement is entered into between Farmers Trust & Savings Bank (the "Bank") and any customer of the Bank who subscribes to the Bank s Online Express

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (the AGREEMENT ) is entered into this (the "Effective Date"), between Delta Dental of Tennessee ( Covered Entity ) and ( Business Associate

More information

Privacy Impact Assessment for TRUFONE Inmate Telephone System

Privacy Impact Assessment for TRUFONE Inmate Telephone System Federal Bureau of Prisons Privacy Impact Assessment for TRUFONE Inmate Telephone System Issued by: Sonya D. Thompson Reviewed by: Approved by: Vance E. Hitch, Chief Information Officer, Department of Justice

More information

APPRAISAL MANAGEMENT COMPANY

APPRAISAL MANAGEMENT COMPANY STATE OF ARKANSAS APPRAISER LICENSING AND CERTIFICATION BOARD APPRAISAL MANAGEMENT COMPANY STATUTES 1 ARKANSAS APPRAISER LICENSING AND CERTIFICATION BOARD APPRAISAL MANAGEMENT COMPANY STATUTES SUBCHAPTER

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC)

Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC) for the Protected Critical Infrastructure Information Management System (PCIIMS) Final Operating Capability (FOC) DHS/NPPD/PIA-006(a) Contact Point Tammy Barbour Protected Critical Infrastructure Information

More information

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1 CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1 THIS AGREEMENT is entered into on ( Effective Date ) by and between LaSalle County Health Department, hereinafter called Covered Entity and, hereinafter

More information